When attempting to use Azure Active Directory for application authentication, a user may encounter the error below:
The intent of this article is to guide users on where to find the reply URL specified in the request and the reply URL configured in the application. Understanding the corresponding values and locations will enable users to efficiently understand and troubleshoot this issue.
Step 1: Understanding the properties displayed in the error screen.
(1) At the top of the page, the numeric value in the URL is the reply URL specified in the request.
(2) Towards the bottom of the page, we can see the URL configured for the application.
Step 2: Finding the reply URL specified in the request.
In the Semarchy.xml file, the reply URL is specified with the issuer. We can see that the numeric value here matches the value from the login URL above, denoted with (1).
Step 3: Finding the URL configured for the application (in Azure Active Directory).
Navigate to the Azure Active Directory portion of the Azure Portal: Default Directory > App registrations > your Azure AD application. In the screenshot below, we can see that the Application ID in Semarchy.xml is pointing to Test App. In the first screenshot below, we can see that the application is named Test App, as well as the Object ID and Application ID for Test App.
Under Endpoints in Test App, we can see the Directory (tenant) ID matches the first error in the login.microsoftonline.com URL.
Step 4: Problem Analysis and Resolution.
The Client ID value from Semarchy.xml has a corresponding value in Azure Active Directory. The Client ID specifies which Azure Active Directory application holds the corresponding redirect URL. Below, we can see the actual setting for the SEMARCHYACTIVEDIRECTORYSERVICE application. Note the navigation path/context, and where the Redirect URI value is entered. Keep in mind that this issue is not related to the configured value of the Redirect URI; rather, it is related to the Client ID of the application specified in Semarchy.xml. The Client ID from Semarchy.xml needs to match the correct Application (client) ID in Azure Active Directory, as shown below. Here, the Semarchy.xml clientId value correctly matches the Application (client) ID for the SEMARCHYACTIVEDIRECTORYSERVICE application.
The root issue is a mismatch of objects between two separate Azure Active Directory services. While Semarchy.xml is intended to use SEMARCHYACTIVEDIRECTORYSERVICE, which has an Application ID starting with 1c0b18ee-..xx, it is currently misconfigured by pointing to the Application ID for Test App (which has an Application ID starting with 5994e11b-..xx). For this scenario, it should be configured to use Application ID 1c0b18ee-a7e4-450b-.xx.
The resolution is ensuring that the values from Semarchy.xml correctly match the corresponding values from the Azure Active Directory application.
This can be completed by either:
a) changing Semarchy.xml to point to the correct Application ID for SEMARCHYACTIVEDIRECTORYSERVICE, or
b) changing values in Test App to work with the configuration.
Please refer to our official documentation Semarchy xDM on Azure for detailed steps on this process.